Pit stop for SWIFT CSP compliance and IT security

Anja Biehler

Anja has a PhD in German Philology and trained in a business communications agency before gaining valuable creative and marketing experience in a number of advertising agencies. For five years, she was in charge of the communications department of a renowned, private financial service provider. Her last position before joining BELLIN’s Global Marketing & Communications team in November 2014 was with Freiburg University where Anja was responsible for the marketing efforts of the EXIST business start-up program.

IT organizations can be vulnerable, and the more they participate in shared infrastructures, the more important the roles of IT security and compliance are. Users must feel confident that all jointly agreed upon security standards are adhered to. The SWIFT network is a shining example of how sensitive data can be securely protected.

What do the terms SWIFT, SWIFT network and Customer Security Program (CSP) mean?

SWIFT stands for "Society for Worldwide Interbank Financial Telecommunication." The cooperative organization, headquartered in Brussels, connects more than 11,000 banks and companies with one another around the world. The SWIFT network is a messaging network its members use to send and receive financial information, such as bank statements, payment instructions and digital trade finance. These messages contain sensitive data which could be damaging to a company in the event of fraud. To prevent cybercrimes, all SWIFT members must take part in the Customer Security Program (CSP). The annual CSP assessment requirement needs to be completed by an internal assessor or independent external assessor.

What areas does the SWIFT CSP assessment shed light on?

The ‘Independent Assessment Framework’ (a document published by SWIFT) lists seven security-relevant areas that must be checked and documented:

  1. How is access restricted, especially how are critical systems within the shared IT environment protected?
  2. What preventive measures are in place to reduce vulnerability and attacks?
  3. How is the IT environment physically protected?
  4. What preventive measures are in place to prevent hacking of login data?
  5. How are identities, roles and authorizations administered?
  6. Is there screening for abnormalities, and how are they documented?
  7. What do the action and notification plans for emergencies look like?

For banks that have already established comprehensive IT security measures and processes, such an in-depth assessment is feasible. On the other hand, companies whose core focus is not banking communication and security, but which are required to perform an assessment as SWIFT members, could find it challenging. With help from the Coupa SWIFT Services Team, becoming and staying SWIFT compliant is uncomplicated.

What risks do SWIFT users face if they do not adhere to compliance rules? 

Companies that miss the deadline for submitting their self-attestation or do not comply with required controls for the CSP assessment (among other reasons) are marked as "non-compliant". This can lead to banks having compliance issues on their end, as business with "non-compliant" parties might be considered insecure. If companies cannot provide documentation that proves they are working on becoming compliant, this could lead to termination of the business relationship.

‘SWIFT Services’ from Coupa

Coupa therefore established ‘SWIFT Services’ for its SWIFT customers. As a certified L2BA provider, Coupa can quickly and easily connect companies to the SWIFT network as members of SCORE (Standard Corporate Environment).

Being both Coupa Treasury and SWIFT Services customers, companies benefit from our understanding of their system architecture types and how to better utilize the network for collecting account statements, payment instructions and digital trade finance. Well established ‘best practices’ learned over the years serve as the team’s base model when assisting a customer with completing a SWIFT assessment.

This knowledge allows Coupa to prepare the SWIFT CSP assessment at little cost and time for our customers: a pit stop where a company receives confirmation that it is SWIFT compliant and simultaneously makes IT security a priority. Areas covered in the SWIFT assessment can also help shed light on company-wide IT security benefits, from the creation of a password policy and documented compliance with it to the setup of Single Sign-On (SSO) and AI-supported fraud detection.

In addition to handling the annual CSP assessment, Coupa’s ‘SWIFT Services’ team provides token management. Allowing Coupa to manage your tokens not only takes time-consuming token work off your shoulders, but also automatically makes you compliant with one of the required SWIFT CSP controls.

"When I learned that Coupa would take over the safe-keeping and maintenance of the SWIFT tokens, I had only one question: Where do I sign up?" Michael Mattig, Head of Global Treasury, Transaction & Inhouse Banking at Nordex SE
 

What our customers love about Coupa ‘SWIFT Services’: Security, performance and speed

Our customers find SWIFT Services to be cost-effective and valuable. 

As the single point of contact, the team takes care of all your SWIFT needs, as well as the required annual assessment and token management.

Nico Hunziker, Corporate Treasurer at E.G.O. Elektro-Geräte, describes how a regular assessment helps their company: "A review helps your company not to become "operationally blind": It's good that we regularly look at various measures with someone from outside to improve the issue of security around Coupa Treasury. That helps us to maintain awareness."

Our customer Stefan Maßer from SPAR confirms: "Coupa's SWIFT Services encompasses more and is more cost-effective than the assessment services from consulting firms." And John Heavey, Corporate Treasurer, gets directly to the point: "Your service is worth every penny." 

The speed at which Coupa carries out the assessment is a great benefit to customers. The ‘SWIFT Services’ team starts with an introductory kick-off meeting before performing the assessment. During this meeting, Coupa explains SWIFT’s compliance expectations clearly, minimizing the time the customer spends looking for evidence.

"Coupa leads us through the SWIFT CSP assessment. We in treasury can concentrate on our tasks and the entire company benefits from more IT and process security," summarizes Eva Hess, Senior Manager Treasury and Risk Management at Siegfried.

Would you like to learn more about our SWIFT Services? Then get informed at Coupa Treasury or get in touch with the Coupa SWIFT Services Team.